Fossil

View Ticket
Login

View Ticket

Plaintext
2010-01-10
04:57 Ticket [e523287834] user passwords are stored in plain text status still Closed with 1 other change ... (artifact: b553e1c6ba user: rwilson)
04:54 Ticket [e523287834]: 1 change ... (artifact: b6df22e756 user: anonymous)
2009-09-14
19:19 Ticket [e523287834]: 1 change ... (artifact: dc51a0c195 user: drh)
19:16
Add the "scrub" command to remove passwords and other sensitive information from a repository. Ticket [e5232878345]. ... (check-in: 6c6a978a53 user: drh tags: trunk)
16:40 Ticket [e523287834] user passwords are stored in plain text status still Closed with 1 other change ... (artifact: ee691527a4 user: rwilson)
2009-09-12
15:53 Closed ticket [e523287834]. ... (artifact: dec4007b46 user: drh)
12:49 New ticket [e523287834]. ... (artifact: 683bb7d526 user: rwilson)
Ticket Hash: e5232878345cb71d17cc1631b12dd5903b3d272f
Title: user passwords are stored in plain text
Status: Closed Type: Feature_Request
Severity: Important Priority:
Subsystem: Resolution: Works_As_Designed
Last Modified: 2010-01-10 04:57:11
Version Found In: 6021279637
Description:
user passwords are stored in the fossil repository as plain text instead of a hash.

drh added on 2009-09-12 15:53:03:
There are two options:

  1. User passwords can be stored cleartext in the local database but sent over the wire (during sync) as a hash.
  1. User passwords are stored has a hash in the local database but are sent in the clear over the wire during a sync.

We believe that (1) is the better choice since it requires an attacker to be able to see the local database in order to find passwords, and if the attacker can see the local database, then he has already compromised the machine. But with (2), the attack need only passively monitor network communications in order to steal passwords.

rwilson added on 2009-09-14 16:40:15:
there should be some 'best practice faq' for fossil then, because if i store the same username/password in my local repository as is in the remote repository, then compromising my local also compromises the remote. also, i assumed that fossil was storing a hash of my password, so i chose a password that i use frequently on the internet. so, now that you know what that is, please don't drain my checking account.

drh added on 2009-09-14 19:19:08:
New "scrub" command remove private information from a repository. Check-in [6c6a978a537]

rwilson added on 2010-01-10 04:54:59:
fixed in [cfe33dcf92] - hurray!